Originally viewed as essentially remotely-readable

(1)

Susan Landau, [email protected]

Security Standards

for the RFID Market

O

riginally viewed as essentially remotely-readable

bar codes, radio frequency identiﬁcation

(RFID) technologies have been available for

many years. However, RFID technology re

cently gained widespread public attention when European

Introducing Emerging Standards

I

EEE Security & Privacy announces the formation of a new department for the magazine—Emerging Standards. Tim Grance, Ramaswamy Chandramouli, and Rick Kuhn, of the US National Institute of Standards and Technology, and Susan Landau from Sun Microsystems, are the co editors of this department, which will concentrate on security issues arising from deployment of new technologies, with a focus on security standards and research challenges. As systems are deployed, security issues must be addressed—not only for the new technology, but also for the technology’s interaction with existing/legacy products and services. This department will highlight security challenges and solutions in the engineering and operation of new technologies as well as signiﬁcant security concerns in existing technologies and applications. Topics include security solutions that are still evolving and areas where new algorithms are required to address vulnerabilities of existing security solutions. Contributions are welcome on these and other topics related to emerging technologies. retailers such as Great Britain’s Marks

& Spencer and Germany’s Metro Group began experimenting with passive RFID tags embedded in indi vidual consumer products, and the US Department of Defense and Wal-Mart announced moves to use pas sive RFID tags for shipment tracking. Other large retailers fol lowed suit, suggesting that RFID technology will become nearly uni versal for shipment tracking in the next few years. As RFID tags con tinue to decrease in price while offer ing increased capabilities, consumers are encountering them in library books, high-end electronics, auto mobile tires, and packaging for household items. Efforts are cur rently under way within the industry that could provide unique identiﬁers for every individual item in the retail supply chain. As further evidence of RFID’s growth, the industry’s stan dards consortium, EPCglobal, re cently awarded Verisign a contract to manage the Object Naming Service (ONS), which will serve as the root directory for the EPCglobal Net work, a system that combines passive RFID technology with electronic product codes (EPCs) to enable busi ness partners to exchange informa tion throughout their supply chains. RFID has also attracted the at tention of security researchers and

hackers. During the 2004 BlackHat conference in Las Vegas, Lukas Grunwald and Boris Wolf released RFDump (www.rf-dump.org), an open-source tool that allows anyone to read RFID tags designed to the ISO 15693 and 14443 standards as well as proprietary standards used in some smart-card ﬁnancial transac tions. In 2005, researchers at Johns Hopkins University also demon strated that an inexpensive toolkit built with a minimal amount of cus tomized hardware can brute-force cryptographic keys from one of the most widely sold RFID tags.1

It’s all about

the application

It’s not an easy task to design, engi neer, implement, and optimize a complex RFID system. When a pas sive RFID tag moves down a con veyor belt at 20 miles per hour, for example, it has only a split second to capture and use as much power as possible from reader devices that can be more than 10 centimeters away. Thus, the RFID system selected for this type of application will depend on the user’s requirements. Some ap plications, however, require higher power demands and a lower toler ance for latency, so the RFID sys tems’ available power, amount of onboard data storage, radio fre quency, and security requirements will vary.

For example, let’s say a rancher needs to identify and track individual cattle from the ranch to the process ing center. Given that cattle tend to chew off ear tags while in the feedlot,

TED PHILLIPS Booz Allen Hamilton TOM KARYGIANNIS AND RICK KUHN US National Institute of Standards and Technology

(2)

Types of RFID technology

R

adio frequency identiﬁcation (RFID) technology can be divided into two main categories:

• Passive systems, such as those used in gasoline station point-of-sale systems and building access control systems, contain no onboard power source. Tags receive their operational power from RFID reader devices. The tag’s antenna captures the radio frequency (RF) energy from the reader, stores it in a capacitor, and then uses it to power the tag’s logic circuits. After completing the requested commands, the tag uses the capacitor’s remaining energy to reﬂect or backscatter a signal to the reader on a different frequency.

• Active systems use tags with onboard power sources, such as batter ies. These tags are used for applications such as tracking cargo and collecting tolls electronically. Active tags can support more sophisti cated electronics with increased data storage, sensor interfaces, and specialized functions. In addition, they use their batteries to trans mit signals back to the RFID reader.

As Figure A shows, an RFID system includes more than just the tag. Advanced security in RFID tags requires additional electronic components to support cryptographic processing, random number generators, key management functions, and other security-speciﬁc features. This increases the amount of energy the tag consumes and increases the latency and transaction times. Passive tags that support security functions must stay within the tag reader’s electromagnetic

ﬁeld longer than simpler tags. For active tags, security features result in slower read times and potentially shorter battery life. Advanced RFID tags, including some with anti-tamper properties, are also ﬁnding their way into supply-chain applications, especially in inter national commerce and the pharmaceutical industry.

The complexity of the RFID market provides a large variety of security features in commercially available tags. However, security features aren’t implemented in a consistent and interoperable manner among different RFID technologies.

RFID tag Integrated circuit Reader Tag antenna Reader antenna a1 a2 a3 a4 b1 b2 b3 b4 Vcc 1 GND 1 2 3 4 5 6 7 8 0 0 Enterprise information system Host computer

Figure A. A radio frequency identiﬁcation system. Such systems incorporate RFID readers, host computers to control the readers, and back-end enterprise information systems to implement business rules.

many ranchers now use implantable low frequency (LF) tags enclosed in glass capsules because they’re less sus ceptible to attenuation from water and living tissue than ultrahigh fre quency (UHF) tags. Such a tracking application requires RFID tags that can be securely attached or implanted in the animals, read through the skin from a relatively close distance to minimize multiple reads, and have limited onboard storage. In most cases, these requirements narrow the RFID tag selection down to a single product category—an encapsulated, LF transponder that has limited read/write capability as speciﬁed by the ISO 11784 and 11785 standards. ISO 11784/5 transponders allow easy reprogramming of ID codes, however, and therefore provide insuf ﬁcient security for applications such as tracking endangered species or high-value show animals. Standards for animal-tracking RFID tags that

meet more demanding security re quirements are now in development.

Policy concerns

Recognizing the growing concerns of consumers and privacy advocates, as well as the relative weaknesses of existing RFID security mechanisms, lawmakers have started to explore ways to protect consumer privacy. For example, the Identity Informa tion Protection Act of 2005—a bill introduced in the California legisla ture in 2004—proposed some of the ﬁrst privacy regulations on the use of RFID technology. Although busi nesses would’ve been able to use RFID to collect the information al ready available from bar codes— product identiﬁcation codes and serial numbers, for example—they wouldn’t have been able to use the technology to track customers once they left the store. The act also would’ve established a temporary

moratorium on embedding RFID in drivers’ licenses and outlawed sur reptitious interception of RFID signals. Responding to privacy con cerns, the American Electronics As sociation convinced legislators in September 2005 to set the bill aside for at least a year while RFID secu rity and privacy technologies im proved. Manufacturers recognize that market success depends largely on their ability to convince con sumers and legislators that RFID products will preserve privacy while improving efﬁciency for retailers.

Businesses that implement RFID security based on proprietary stan dards, such as those used in the point-of-sale systems, potentially in troduce risk to their business and customers because the “security through obscurity” approach almost always yields solutions that are easily compromised. Fortunately, the RFID industry is actively develop

(3)

ing international standards to meet these security needs, such as incor porating the Advanced Encryption Standard (AES) and designing ad vanced authentication techniques into some of the most extensively used RFID systems.

Current

RFID standards

RFID technology is exceedingly di verse: more than 500 tag types are commercially available, including passive, passive, active, semi-active, LF, HF, UHF, microwave, on board sensors, ruggedized housings, and implantable. As RFID technol ogy evolves, standards are showing an interesting interplay between cost and security. RFID applications ﬁt roughly into three categories: • logistical applications that require

fast, low-latency, easy-to-read tags with little or no need for security mechanisms, such as those used for shipping and receiving;

• consumer applications that require security, but not bulk-reading ca pabilities, such as smart cards used in ﬁnancial transactions; and • vertical applications that tailor secu

rity features to a speciﬁc business process, such as the use of RFID-enabled poker chips in casinos.

As RFID tag and infrastructure costs have declined over the past decade, the potential range of RFID applications has expanded, making it economical to embed RFID tags in all sorts of consumer items. As a re sult, we now need tags with both bulk-reading capabilities and secu rity features that protect consumer privacy. In addition, there continues to be a sizeable market for RFID sys tems with semi-custom or highly tailored security mechanisms.

Yet, the addition of security mechanisms doesn’t come without potential trade-offs. Data encryption not only increases a tag’s cost, it re duces the tag’s onboard storage ca pacity and increases the latency of

read cycles. Authentication adds la tency to the read/write process and introduces key-management over head. Other security measures, such as those designed to protect data in tegrity, have similar effects. The overall impact could be to reduce the number of tags read per second in crowded environments such as ware houses, or increase the time per read in high-speed conveyor belt systems. As RFID technology and stan dards continue to evolve, users will place an increasing emphasis on the availability of security features in the products they implement. Table 1 highlights the technical and security features of some important RFID standards. Several technical features have a direct effect on security, such as frequency band, read range, and onboard data capability. In addition, most of the RFID standards have deﬁned one or more security fea tures that provide conﬁdentiality, in tegrity, or availability services.

EPC tags

EPC tags are used for supply-chain and logistical applications—to follow razors on the journey from factory to store, for example—because they’re simple and cheap. The engineers who wrote the EPC standards were focused on producing cost, low-latency tags with high potential read rates that supported tag singulation (separating one tag from a large quan tity of tags). A critical design factor was the physical tag configuration— these tags could be built on flexible substrate material and laminated into smart labels. Security of EPC tags wasn’t initially a high priority. Thus, first-generation EPC tags lack the computational resources for strong cryptographic authentication. Like all passive RFID tags, first -genera tion EPC tags draw power from radio signals emitted by tag readers. EPC tags don’t have internal clocks, and can’t perform any operations inde pendently of tag readers. As a result, they can’t devote much computing power to security operations—at

most, 2,000 gate equivalents. In contrast, common Data Encryption Standard (DES) implementations re quire tens of thousands of gates, and even lightweight AES implementa tions require approximately 5,000 gates,2 which puts them both out of range for today’s ﬁrst- and second-generation passive EPC tags.

Consumer fear over the prospect that RFID technology could be used to surreptitiously read the product IDs of everything they’ve purchased,3 along with pressure from privacy ad vocates, led to the inclusion of the

killcommand in the EPC stan dard. This command, when sent to a single tag by a reader service, renders it permanently inoperable. The ma jority of the logistics community op posed the command’s inclusion because of its potential for unautho rized system disruption, but EPC-global included it in the Generation 1 and Generation 2 standards to pro tect consumer privacy. Executing the

killcommand on individual Gen eration 1 EPC tags is relatively sim ple—it’s protected by only an 8-bit password and no key-management infrastructure is available. Indeed, making the situation worse, some major retailers reportedly ordered millions of tags conﬁgured with the same password. The EPC Genera tion 2 standard, which will be im plemented in the ﬁrst half of 2006, requires longer passwords for pro tecting the command, but there’s still no key-management function.

Smart cards

In contrast to EPC tags, the security features in RFID-enabled, contact-less smart cards, which were driven primarily by the banking commu nity’s needs for protecting wireless payment systems, addressed security issues from the beginning. None theless, power issues are a signiﬁcant concern for the RFID technology used in contactless smart-card trans actions. Passive smart cards (follow ing the ISO 14443 and 15693 standards) have implemented secu

(4)

Table 1. Radio frequency identiﬁcation security features.

TECHNOLOGY TECHNICAL FEATURES SECURITY FEATURES

BAND RANGE DATA CONFIDENTIALITY INTEGRITY AVAILABILITY

(METERS)

EPC Class 0/0+ Ultrahigh 3 64- or 96-bit None in standard. • Parity bit. Identiﬁcation rate (supply chain) frequency with read/write • CRC error detection. >1,000 tags/sec.

(UHF) (R/W) block

EPC Class 1 UHF 3 64- or 96-bit None in standard. • Commands have Lockcommand

Generation 1 with R/W block 5 parity bits. permanent and

(supply chain) • CRC error detection. not protected.

EPC Class 1 UHF 3 R/W block • Masked reader-to-tag • CRC error detection. Numerous readers

Generation 2 communications using the can operate in

(supply chain) one-time pad stream cipher. dense conﬁgurations.

• Tags addressed by 16-bit random numbers.

ISO/IEC Low < .010 Up to 1 • No protection on • CRC error detection. None in standard. 18000-2 frequency Kbyte R/W the readcommand. • Permanent, factory

(item (LF) • “Reader talks ﬁrst” protocol. set 64-bit ID.

management) • No encryption • Optional, lockable

or authentication. identiﬁer code.

ISO/IEC High < 2 R/W • “Reader talks ﬁrst” protocol. • CRC error detection. Multiple tag modes

18000-3 frequency • 48-bit password • No write are noninterferring.

(item (HF) protection on protection in

management) readcommands. Mode 1.

• “Quiet mode” in which tags • Mode 2 has 48-bit won’t respond to readers. password on

writecommands.

ISO/IEC LF < .010 64-bit • “Reader talks ﬁrst” protocol. • Retagging counter. None in standard. 11784-11785 identiﬁer • Tags addressed by 16-bit • CRC error detection.

(animal random numbers.

tracking) • Quiet mode.

ISO/IEC 10536 HF < 2 R/W • “Reader talks ﬁrst” protocol. • CRC error detection. • Probabilistic/slotted

(contactless • Masked reader-to-tag random

anti-smart cards) communications. collision algorithm.

• Tags addressed by • Multiple tag modes

random number. are noninterfering.

• Quiet mode.

ISO/IEC 15693 HF 1.5 Up to • No protection on the • Optional protections Optional password (vicinity smart 1Kbyte R/W readcommand. on writecommand. protection on the

cards) • No onboard encryption or • Error checking on lockcommand.

authentication. air interface.

rity features, including crypto and security threats to these cards are ing their products and then extend graphic challenge-response authen still significant. Government and in- them with proprietary features tai tication, for years. Newer releases of dustry will continue to refine the lored for specific vertical applica these cards include the 128-bit AES, risk-mitigation strategies for these tions. For instance, Philips’ Mifare triple-DES, and SHA-1 algorithms. cards over the coming years. technology, which is used exten-As a result of the increased overhead, Few RFID smart cards on the sively in Europe for access to mass the smart cards must be placed close market are built around “pure” transportation, is built around the to their readers for relatively lengthy standards-based implementations. ISO 14443 air link standard but is periods to be read. Despite these ad- Most vendors use the basic standard supplemented with a proprietary vanced security features, the privacy suites as starting points for develop- data format and security features.

(5)

Interoperability is also a concern for devices using RF. Some of the unlicensed frequencies used for RFID in the US are used for mobile phones in Europe and Asia, for ex ample. Conformance testing and certification are essential for reduc ing interoperability problems with any standard, even with the develop ment of multiprotocol, frequency-agile reader devices. Most RFID testing is conducted under the auspices of relevant industry groups. For example, new ISO/Interna tional Electrotechnical Commission (IEC) 14443 contactless smart-card platforms might receive MasterCard certification for use in e-commerce. EPCglobal has recently contracted with third-party laboratories to con duct conformance testing for Gen eration 2 EPC standards. At the same time, EPCglobal has established a working group to submit the EPC Generation 2 protocols for ISO stan dardization (ISO 18000-6c). Iron ically, one risk of international standardization is that a protocol might be modified as it moves through the process, so the EPC group will try to maintain consis tency with the current specification.

A

s the RFID market expands, we’ll see the continued prolifer ation of RFID tags built for highly specialized vertical markets, which means greater variety and the conse quent need to ensure interoperabil ity. A great deal of research and development is currently under way in the RFID security ﬁeld to miti gate both known and postulated risks. Manufacturers, business man agers, and RFID systems engineers continue to weigh the trade-offs be tween chip size, cost, functionality, interoperability, security, and pri vacy with the bottom-line impact on business processes. In the coming months, security features supporting data conﬁdentiality, tag-to-reader authentication, optimized RF pro tocols, high-assurance readers, and

secure system engineering princi ples should become available.

Security and privacy in RFID tags aren’t just technical issues; im portant policy questions arise as RFID tags join to create large sensor networks and bring us closer to “ubiquitous computing.” With pub lic attention focused on the RFID landscape, security and privacy have moved to the forefront in RFID standards work, and the results will be worth watching.

Acknowledgments

Certain commercial entities, equipment, or ma terials may be identiﬁed in this article in order to describe an experimental procedure or concept adequately. Such identiﬁcation is not intended to imply recommendation or endorsement by the US National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

References

1. S.C. Bono et al., “Security Analy sis of a Cryptographically-Enabled RFID Device,” Proc. 14th Usenix Security Symp. Usenix Assoc., 2005, pp. 1–16.

2. O. Günther and S. Spiekermann, “RFID and the Perception of Control: The Consumer’s View,”

Comm. ACM, vol. 48, no. 9, 2005, pp. 73–76.

3. A. Juels and S. Weis, “Authenticat ing Pervasive Devices with Human Protocols,” Advances in Cryptology: Proc. 25th Int’l Cryptology Conf., LNCS 3126, V. Shoup, ed., Springer-Verlag, 2005, pp. 293–309.

Ted Phillips is a senior associate at Booz Allen Hamilton. His research interests include RFID engineering, supply-chain automation, and information security. Phillips has an MS in telecommunications from Virginia Commonwealth University. He is a member of the International Soci ety of Logistics Engineers and EPCglobal. Contact him at [email protected].

Tom Karygiannis is a senior researcher at the US National Institute of Standards and Technology. His research interests include wireless security, ad hoc net works, and mobile commerce. Karygian

nis has a PhD in computer science from George Washington University. Contact him at [email protected].

Rick Kuhn is a computer scientist with the US National Institute of Standards and Technology. His research interests include information security, software veriﬁcation and testing, and empirical studies of soft ware failure. Kuhn has an MS in computer science from the University of Maryland at College Park. He is a senior member of the IEEE and the IEEE Computer Society. Contact him at [email protected].